>> From: Thomas Paumier [mailto:thomas dot paumier at tiscali dot fr]
>> Sent: Saturday, December 20, 2003 3:16 PM
>> To: m0n0wall at lists dot m0n0 dot ch
>> Subject: [m0n0wall] Traffic shaper seems doesn't work as expected
>>
>> Hello!
>>
>> First of all, I have read ALL 1400+ emails before posting this one.
>> I am a student in computer network administration (2nd level) in France.
>>
>> I have installed a m0n0-box in a friend's cybercafé. It's a small PC
>> (P2 300, 64sd, 2 GB HD) but fits the requirements for our usage perfectly.
>> I want to say that I love your software! I am pretty experienced with
>> Linux -- I know that FreeBSD is NOT Linux, don't bash me! :p -- from the
>> start, and I like the "a box for all" policy.
>>
>> I connect to the internet through an RP114 which is on the WAN side.
>> Customers can play as always, but (yes, there's always a "but" :-( ) it
>> seems I don't understand how the shaper works.
>>
>> I have read a reply from M. Manuel Kasper (April 2), then I set this
>> rule for testing:
>> If=LAN, Proto=FTP, Source=any, Port=FTP(21), Destination=LAN Subnet,
>> Port=FTP(21), Bandwidth=64, Delay=Nul, Mask=destination.
>>
>> But after this a user can still download a file at 90 KB/s without any
>> problem (through the FTP protocol) from the internet. I'm totally stuck;
>> I don't understand how to define rules for traffic shaping, and it's the
>> first goal of my m0n0-box.
>>
>> Could you please give me some help?
>>
> From: "Alan" <junk at alan2 dot com>
> To: "'Thomas Paumier'" <thomas dot paumier at tiscali dot fr>;
> <m0n0wall at lists dot m0n0 dot ch>
> Sent: Sunday, December 21, 2003 6:34 AM
> Subject: RE: [m0n0wall] Traffic shaper seems doesn't work as expected
>
> I am just making a guess as to why this is not working... m0n0wall may
> work some FTP magic behind the scenes that I'm not aware of...
>
> Only the FTP control information is passed through port 21.
>
> All the data transfer happens on port 20 if you use active FTP, so you
> can try limiting port 20...
>
> If you use passive FTP (most FTP clients do nowadays), then as far as I
> know, you cannot predict what port the data connection will use, and it
> becomes much more difficult to control...
>
> -Alan
>
The problem with FTP is that if you are using active FTP you have to permit
inbound connections from ANY to your FTP client for any source port > 1024.
If you are using passive FTP, the data connection is an outbound request
from the client on any port > 1024 to a random port > 1024 on the
destination side. That traffic won't be easy to shape.
A better solution might be to enable ftp-proxy on the m0n0wall box (not sure
how much load this would create). Outbound FTP connections are redirected
to the ftp-proxy on the localhost which can restrict the range of ports to
be used for the data connections. The firewall rules can be made much more
secure and permit passive and active FTP.
It works well on OpenBSD and I see the ftp-proxy command is available on
FreeBSD as well (although not as feature rich).
- Kevin
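Both replies above come down to the same point: the shaper rule on port 21 only ever sees the control channel, while the data connection is negotiated inside that channel (a PORT command for active mode, a 227 reply for passive mode) and lands on a port that a static rule cannot anticipate. The following is an added example, not code from the thread or from m0n0wall or ftp-proxy; it parses those two negotiation messages from a constructed control-channel transcript, derives which data connection (and therefore which firewall/shaper rule) each one would require, and checks the negotiated port against a fixed range, which is the kind of restriction Kevin describes ftp-proxy enforcing. The sample lines, addresses and the 49152-65535 range are assumptions for illustration.

```python
import re

# Constructed sample control-channel transcript (not a real capture): one
# active-mode transfer negotiated with PORT, one passive-mode transfer
# negotiated with a 227 reply. Addresses are documentation/test ranges.
SAMPLE_CONTROL_LINES = [
    "220 ftp.example.test FTP server ready",
    "USER anonymous",
    "331 Guest login ok, send your email address as password",
    "PASS guest@example.test",
    "230 Guest login ok",
    "PORT 192,168,1,50,19,136",
    "200 PORT command successful",
    "RETR file1.bin",
    "PASV",
    "227 Entering Passive Mode (203,0,113,7,195,80)",
    "RETR file2.bin",
]

# Both messages carry the endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None."""
    m = _PORT_RE.match(line)
    mode = "active"
    if not m:
        m = _PASV_RE.match(line)
        mode = "passive"
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    # Each comma-separated field is one byte; anything larger is malformed.
    if any(f > 255 for f in fields):
        return None
    a, b, c, d, p_hi, p_lo = fields
    return mode, f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo


def data_connections(lines):
    """All data-connection endpoints negotiated in a control-channel transcript."""
    return [ep for ep in (parse_data_endpoint(l) for l in lines) if ep]


def rule_needed(endpoint):
    """Describe the firewall/shaper match a data connection would require.

    Active: the server connects inbound, from its port 20, to the client's
    announced port. Passive: the client connects outbound to the server's
    announced port. Neither connection ever touches port 21.
    """
    mode, ip, port = endpoint
    if mode == "active":
        return f"inbound any:20 -> {ip}:{port}"
    return f"outbound client:>1024 -> {ip}:{port}"


def in_allowed_range(port, low=49152, high=65535):
    """Assumed proxy-enforced data-port range; a proxy that rewrites PORT/227
    to ports inside such a range lets the firewall permit only that window."""
    return low <= port <= high


if __name__ == "__main__":
    for ep in data_connections(SAMPLE_CONTROL_LINES):
        mode, ip, port = ep
        status = "in range" if in_allowed_range(port) else "OUT OF RANGE"
        print(f"{mode:7s} {rule_needed(ep):45s} {status}")
```

The active-mode PORT line resolves to 192.168.1.50:5000 and the passive 227 reply to 203.0.113.7:50000; only the second falls inside the assumed range, which is exactly the gap a proxy closes by constraining (or rewriting) the negotiated ports so that a bounded rule set can both permit and shape the data traffic.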